                  [SunWorld Online News - September]
 
                          Def Con III report
 
          Companies face lawsuits for network security lapses
 
 LAS VEGAS -- Companies that don't adequately secure their networks
 will face the wrath of shareholders and others who stand to lose
 from information leaks, said a former CIA spy at the Def Con III
 show here in early August.
 
 Executives focused on keeping costs down are overlooking the need
 for software that will prevent or minimize the risk of network
 break-ins, said Robert Steele, who was also a Marine Corps
 intelligence officer and now does consulting. As a result, those
 executives will eventually be held liable and stockholders will sue
 them for failing to secure the networks, he said.
 
 "The value of proprietary information is being eroded," Steele said.
 
 Def Con III is the third annual gathering of tribes in the user,
 vendor, security, and intelligence communities. The informal mission
 of Def Con is to discuss computer security issues in an open forum.
 Approximately 470 attendees visited this year's Def Con.
 
 A spokesman for a company that sells security software said his
 firm's clients recognize the risk of negligence.
 
 "Corporate executives and officers of publicly traded companies are
 aware that their fiduciary responsibility extends to protecting
 their information assets," said Tommy Ward, strategic applications
 manager for Digital Pathways of Mountain View, CA. "The real assets
 of America are in electronic storage."
 
 Some companies even go so far as to cover up network break-ins so
 they won't be fingered, according to Ward, who added, "Banks are
 especially guilty of this."
 
 Interest in security began to surge after the Computer Emergency
 Response Team, a government-corporate consortium that monitors
 Internet security, sent out an advisory Feb. 3, 1994, warning users
 to replace static passwords with one-time passwords, which change
 with each log-in, because there had been "concerted, massive attacks
 throughout the world."
 
 "Corporations and organizations are essentially paying lip service
 to security," said Craig Alesso, marketing director at Secure
 Computing Corp. in Roseville, MN, which released version 2.0 of its
 Sidewinder applications-level Internet firewall software the week
 before the conference.
 
 "Our customers are more concerned about competitors getting
 information, or mistakes internal users may make" by inadvertently
 releasing information, Alesso said.
 
 To improve its product, Secure Computing is unofficially enlisting
 computer hackers, oft-maligned experts at penetrating networks, as
 beta testers. The company has created a challenge site on the
 Internet and encourages hackers to break through. Anyone successful
 -- none to date -- gets bragging rights and an MA-1 flight jacket.
 
 Former CIA spy Steele sees hackers as potential renegade heroes in
 the quest for network security and said they are a "major national
 resource" because they force systems administrators to tighten
 networks.
 
 "Hackers are not the poison, they're the antidote," he told the
 crowd of mostly hackers. "They're pushing the envelope ... They're
 making the systems healthier."
 
 Social engineering
 At other Def Con III venues, attendees swapped tips on how to crack
 computer networks and evade arrest, and the keynote speaker
 discussed the need for maintaining the privacy of individuals via
 encryption.
 
 The US National Security Agency cites terrorism concerns in favoring
 inferior technology -- specifically, the Clipper Chip, which gives
 government officials a key to decrypt encoded data -- over superior
 technology that enables only the recipient to decrypt data, said
 Bruce Schneier, an author and president of Counterpane Systems, an
 Oak Park, Ill., consulting firm specializing in computer security.
 
 As a result, the US government bans the export of products
 containing any but the weakest encryption software. Such law
 undermines US businesses, as well as the notion of encryption
 itself, Schneier said.
 
 "US companies can choose to cripple their products or ignore the
 international marketplace," he said.
 
 Encryption software must be universally used to be effective,
 Schneier suggested. "For cryptography to be successful, it has to be
 ubiquitous, to protect the important and the trivial," he said.
 "Cryptography is the great equalizer in the world. It makes my stuff
 just as secure as the government's."
 
 Certain organizations and government agencies are recognizing the
 benefits of the technology in areas other than electronic mail. The
 states of Utah, California and Colorado are considering adopting
 legislation to authorize digital signatures, the Internal Revenue
 Service is preparing to allow citizens to file tax returns
 electronically using such signatures and the American Bar
 Association is drafting model legislation governing encryption,
 Schneier said.
 
 Other countries deal with information privacy differently. In
 France, citizens accept laws that require them to give police a key
 to decrypt their data, whereas Canadian officials created a privacy
 advocacy bureau to make sure that agencies and organizations don't
 infringe on anyone's right to privacy, he said.
 
 From other parts of the conference:
 
    *  Susan Thunder, a self-proclaimed hacker, told the Def Con III
      crowd how to use social engineering or "psychological
      subversion" to get passwords and other sensitive information
      from company employees. Hackers posing as new or temporary
      employees can be particularly successful, she said. In
      addition, she recommended dumpster diving, or rummaging through
      trash, to find out more about a company and its computer
      system.
 
      In one possible scenario, Thunder suggested a hacker calling a
      worker in data processing and asking for a new password,
      claiming that someone saw it being typed in. The hacker, posing
      as a worker from data processing, then calls the employee whose
      password is being used and informs the worker of the new
      password as part of a routine security measure.
 
      Conscientious hackers can then mischievously remind employees
      about the need to guard their passwords. "I get off on giving a
      little lecture on security while I'm compromising it," she
      said.
 
    *  In a popular session entitled "Hacking Sucks!" Stephen Cobb,
      an author and consultant who works at the National Computer
      Security Association, played devil's advocate. Cobb said that
      hacking is wrong because it violates people's right to privacy,
      increases the cost of computers and communications, deters
      computer usage, and is illegal. Listeners politely disagreed,
      citing the surge in Internet use and instances of unlawful
      government invasion of privacy.
 
    *  In another heavily attended session, self-proclaimed hacker
      "Deth Vegetable" discussed why "The media sucks!" Vegetable
      once posted a file to the Internet that explained how to make
      explosives. Two boys were injured allegedly attempting to
      follow the recipe ("I don't know how they could have gotten it
      wrong"), and he was vilified in news reports, he said.
      Vegetable, who posted his "anarchist writings" a decade or so
      ago, said he was harassed by CBS for an interview following the
      Oklahoma bombing in April.
 
    *  Celebrities at the conference included a few Hollywood
      producers, including Larry Lasker, who wrote the screenplays
      for "Sneakers" and "War Games." The producers were conducting
      research for a film on hackers that they are plotting. They
      found plenty of fodder, particularly in the juvenile set. One
      quick-fingered 14-year-old, tracked down by a private
      investigator because his parents said he ran away to attend Def
      Con, would be a natural as "The Littlest Hacker."
 
      Also enjoying celebrity status was Sun employee Dan Farmer, the
      creator of SATAN (Security Analysis Tool for Auditing Networks)
      software that probes Unix networks for security weaknesses.
 
    *  Among the activities here were midnight rounds of "Hacker
      Jeopardy," a hack radio broadcast in which enterprising
      attendees jammed a local radio station, and a "Spot-The-Fed"
      contest, in which the keen-eyed winners and their government
      counterparts received "I spotted the fed!" and "I am the fed!"
      t-shirts.
 
    *  Other features were raffles for a hard drive, a cellular
      telephone, a package of "HACKS" breath mints from the UK and a
      set of keys that purportedly unlock a cafeteria on the
      Microsoft Corp. campus in Redmond, Wash. Lucky attendees also
      netted software, including Portuguese and Danish language
      versions of Windows 95 software developer kits, and modems, all
      of which were thrown into the air throughout the conference.
 
    *  A constant theme at the conference was the idea that people,
      not computers or technology, are the weak link in security. A
      hacker named Glitch told a friend about lax security at the Las
      Vegas airport. He described a sign next to a door that gave
      explicit instructions on how to enter, including the keys to
      press and a secret four-digit number, a relatively small
      combination to crack for someone accustomed to breaking complex
      computer code.
 
       "It would take me all of five minutes to get in," Glitch said.
       "That's the thing about most computer stuff. People are
       stupid!"
 
 -- Elinor Mills, IDG News Service, San Mateo Bureau
 
 --------------------------------------------------------------------
 
 URLs mentioned in this article
 * Central Intelligence Agency http://www.odci.gov/cia
 * Clipper Chip discussion http://cpsr.org/dox/program/clipper/clipper.html
 * Computer Emergency Response Team ftp://cert.org
 * Def Con III home page http://www.defcon.org/
 * National Security Agency http://www.nsa.gov:8080/
 * National Computer Security Assoc. http://www.ncsa.com/
 * National Computer Security Resource Clearinghouse http://first.org:80/
 * Secure Computing Corp. http://www.sctc.com/
 
 --------------------------------------------------------------------
 
              [(c) Copyright 1995 Integrated Media Inc.]
 
 If you have problems with this magazine, contact webmaster@sunworld.com
 URL: http://www.sun.com/sunworldonline/swol-09-1995/swol-09-def.html
 
 Last updated: 1 September 1995